NotPetya ransomware outbreak cost Merck more than $300M per quarter

The full financial impact of the NotPetya ransomware campaign is still being tallied and, for pharmaceutical giant Merck, things don't look good. According to the firm's Friday earnings call, the attack cost them more than $300 million in Q3 alone, and is on track to hit that amount again in Q4 as well.

On the call, Merck CFO Robert Davis said that NotPetya had "negatively impacted third-quarter results, including an unfavorable revenue impact of approximately $135 million from lost sales and approximately $175 million in costs, spread across the cost of goods sold and the operating expense lines. We anticipate a similar impact to revenue and expenses in the fourth quarter, which is reflected in our updated guidance."

Due to a production shutdown caused by the attack, Merck saw sales reductions of around $240 million, which officials on the call attributed to "borrowing from the U.S. Centers for Disease Control and Prevention Pediatric Vaccine Stockpile of GARDASIL 9 (Human Papillomavirus 9-valent Vaccine, Recombinant), a vaccine to prevent certain cancers and other diseases caused by HPV" and to higher-than-expected demand.

The financial woes weren't the only problem. The initial attack wreaked so much havoc that employees weren't even able to work. It took down the firm's email system and disrupted sales operations.

As big an impact as $310 million is for Merck, it seems to be par for the course for major enterprises dealing with the aftermath of such attacks. Shipping giant Maersk reported losses of $200-300 million, and NotPetya cost FedEx roughly $300 million as well.

It wasn't just enterprises that were hit hard by ransomware: SMBs were a big target too. Due to their limited resources, they are often at high risk of attack, as TechRepublic's Alison DeNisco Rayome reported. Overall, SMBs paid about $301 million to ransomware attackers in 2016 alone.

NotPetya wasn't the only culprit either. Other major campaigns such as Petya, WannaCry, and Locky also caused massive damage. For some of the NHS victims of WannaCry, it took more than a week to get back to business after the attack.

A recent report also claims that the NHS was warned to apply available patches a month before the attacks began and failed to act on the warning. If Merck's story is any indication, CISOs around the world should be setting money aside to mitigate the impact of such attacks, and doing all they can to prevent such an attack from happening in the first place.

The 3 big takeaways for TechRepublic readers

Pharmaceutical giant Merck lost roughly $310 million in dealing with the devastating effects of the NotPetya ransomware outbreak, company officials said on an earnings call.

Additionally, shipping firm Maersk and logistics company FedEx both took hits in the ballpark of $300 million as well, from the same attack.

CISOs should take Merck's story as a warning, stockpiling cash to deal with the aftereffects of such an attack and patching needed software.
